Your OCC examination is on the calendar. The IT portion makes most community bank executives nervous, not because the technology is bad, but because nobody told them what examiners actually grade.
The OCC does not publish a rubric. But they publish enough guidance to build one. And in 2026, two changes make this worth revisiting even if your institution has been through multiple examination cycles. OCC Bulletin 2025-24, effective January 1, eliminated the mandatory policy-based requirements that had governed community bank examinations for years. The FFIEC Cybersecurity Assessment Tool, which most community banks used for cybersecurity self-assessment, was retired on August 31, 2025.
This article explains the URSIT framework the OCC uses to rate your IT, the specific finding categories where community banks consistently receive deficiencies, what examiners look for in cloud environments, and how to build a pre-examination readiness program around Microsoft 365.
How OCC Examines Your IT: The URSIT Framework
The OCC rates information technology using URSIT, the Uniform Rating System for Information Technology. Every community bank receives a URSIT composite rating on a 1-to-5 scale, with 1 being the strongest and 5 being the weakest. That composite does not exist in isolation: it feeds directly into your CAMELS composite rating, specifically through the Management and Sensitivity to Market Risk components.
URSIT has four rated components. Examiners score each separately and then derive the composite. Understanding what each component covers tells you exactly where examination risk concentrates for your institution.
URSIT: The Four Components OCC Uses to Rate Community Bank IT
| Component | What Examiners Assess | Common Deficiencies Cited |
|---|---|---|
| Audit | Scope, independence, frequency, and effectiveness of IT audit. Whether findings are tracked to resolution and whether audit staff has sufficient IT knowledge. | Audit scope too narrow; finding closure undocumented; internal audit lacks IT-qualified personnel |
| Management | How leadership oversees IT risk. Board and executive understanding of IT risk, strategic alignment, vendor oversight programs, and the quality of IT risk reporting to governance bodies. | Board reports too technical or too vague; no formal IT risk appetite statement; vendor management entirely spreadsheet-based with no formal review cadence |
| Development and Acquisition | How the bank acquires, builds, and changes systems. Project management, change control processes, testing requirements, and user acceptance before production deployment. | Informal change control with no approval trail; no user acceptance testing for vendor-managed systems; legacy systems with no documented migration plan or compensating controls |
| Support and Delivery | Day-to-day operational reliability of IT. Patch management, access controls, incident response, business continuity testing, and help desk operational effectiveness. | Patch management gaps especially for end-of-life systems; MFA not enforced for privileged access; BCP not tested in 12 or more months; audit log retention below 12 months |
Source: FFIEC IT Examination Handbook; OCC URSIT examination guidelines
The Support and Delivery component draws the most examiner scrutiny for community banks under $3 billion in assets. That is where access controls, patch management, cloud configurations, and incident response programs live. A deficiency in Support and Delivery is also the most operationally visible finding, which means your board and regulators both see it.
The 18-month examination cycle available to well-rated community banks is a reward for strong risk management, not a permanent status. Any individual URSIT component rated 3 or higher can trigger a return to annual examinations regardless of asset size or CAMELS composite. Institutions that maintain strong URSIT ratings through consistent configuration management earn the longer cycle. Institutions that drift earn more frequent examinations.
Two Regulatory Shifts Every Community Bank Needs to Know in 2026
Community bank compliance programs often calibrate to how past examinations went. That is a reasonable approach, but 2026 brought two changes that make a fresh assessment necessary before your next examination cycle.
OCC Bulletin 2025-24: The Supervisory Reset
Effective January 1, 2026, OCC Bulletin 2025-24 eliminated all mandatory policy-based examination requirements for community banks. The prior model required examiners to verify that specific policies existed and met documentation standards. The new model is risk-proportionate.
In practice, this means examiners now focus on whether your risk management decisions are documented and defensible, not whether you have a policy document that matches a checklist of required topics. A community bank with a well-documented, operationally realistic IT risk assessment that connects risk identification to control implementation will fare better than one with a full policy library that does not connect to how the institution actually operates.
The shift also changes how you should prepare. Before 2026, the standard approach was to audit policies against the FFIEC IT Examination Handbook. After 2026, the better approach is to map your actual IT controls to your documented risk decisions and ensure examiners can trace from risk identification to control deployment to monitoring results. Documentation of why a risk decision was made matters as much as documentation that the decision exists.
The FFIEC CAT Is Retired: What Replaces It
The FFIEC Cybersecurity Assessment Tool (CAT) was officially retired on August 31, 2025. If your institution still uses the CAT for cybersecurity self-assessment, you need to migrate to NIST Cybersecurity Framework 2.0. The FFIEC designated NIST CSF 2.0 as the recommended replacement when it announced the retirement.
The CAT served community banks as a maturity benchmarking tool from 2015 through 2025. Its retirement matters for two specific reasons. First, OCC examiners will increasingly use NIST CSF 2.0 language and function categories in examination findings. Institutions that still organize their cybersecurity program around CAT maturity levels and CAT declarative statements may have a harder time mapping examination feedback to their internal program structure. Second, NIST CSF 2.0 added the Govern function, which the original 2014 framework did not include. That function covers cybersecurity governance, organizational context, and risk strategy, which maps directly to the URSIT Management component.
For most community banks, the CAT-to-NIST CSF 2.0 migration is not a wholesale rebuild. CAT declarative statements map reasonably well to the NIST CSF 2.0 Identify, Protect, Detect, Respond, and Recover functions. The Govern function additions require the most attention, particularly for governance bodies that have not formally documented their cybersecurity risk appetite or oversight structure. ABT's NIST CSF 2.0 Assessment for Financial Institutions covers the full framework transition including the Govern function gaps most community banks have not yet addressed.
Where Community Banks Receive OCC IT Findings
The OCC's 2025 Cybersecurity Report identified the most common IT deficiencies in community bank examinations. None are surprising in isolation. The pattern matters: these categories appear across institution sizes and examination cycles, which means institutions are addressing them once and not sustaining the fix.
Common OCC IT Findings in Community Bank Examinations
- Legacy and end-of-life systems without documented compensating controls or a remediation timeline
- Patch management deficiencies, particularly for vendor-managed and cloud-hosted systems
- Multi-factor authentication gaps for privileged access, remote access, and administrative accounts
- Insufficient IT audit coverage, including scope gaps and finding closure tracking failures
- Third-party vendor management weaknesses, including missing or outdated SOC 2 Type II assessments
- Cloud control deficiencies, including access provisioning gaps and audit log retention failures
Source: OCC 2025 Cybersecurity Report; OCC Bulletin 2020-46a
Legacy Systems: The Finding That Follows Your Institution
Legacy systems earn findings not because they exist but because they lack documented compensating controls. An institution running Windows Server 2019 in an isolated network segment with specific access restrictions and enhanced monitoring is in a defensible position. An institution running the same server with no documentation of why it is still in production, what controls limit its exposure, and when it will be replaced is not.
Before your examination, inventory every system running software past vendor end-of-life. For each one, document the business reason it has not been replaced, the compensating controls limiting its exposure, and the planned remediation timeline. That documentation converts a potential finding into a management decision with a plan. Examiners can accept a documented risk decision. They cannot accept an undocumented gap.
MFA Gaps: The Finding That Should Not Exist in 2026
The OCC has cited multi-factor authentication deficiencies in community bank examinations consistently since 2020. By 2026, MFA for privileged access and remote access is a baseline expectation, not a leading practice. Yet it continues to appear in findings for one reason: MFA is deployed for general staff but not enforced by policy for administrative accounts, service accounts, and privileged role holders.
Microsoft 365 Entra ID Conditional Access policies can enforce MFA for all privileged roles and all remote access sessions in a way that is documentable, auditable, and testable on demand. The gap OCC examiners find is not a technology gap. It is a configuration gap. The technology to close it is already in your Microsoft 365 subscription.
Third-Party Vendor Management: Expanding OCC Scrutiny
OCC examiners have expanded vendor management scrutiny significantly since OCC Bulletin 2020-10 updated the third-party risk management framework. For cloud vendors, examiners now expect current SOC 2 Type II attestation reports, not vendor-provided security questionnaires or a SOC 2 Type I. An outdated report from 18 months ago is insufficient for material vendors. For institutions evaluating their Microsoft 365 plan, the compliance tooling available for vendor documentation and eDiscovery varies across plans. Understanding which Microsoft 365 plan your institution should be on is part of the examination readiness picture.
Cloud Controls: What OCC Examiners Actually Check
OCC Bulletin 2020-46a established the OCC's cloud computing risk management expectations. In 2026, cloud is no longer a specialty topic in IT examinations. It is the primary operating environment for most community bank systems, including Microsoft 365 tenants, core banking vendor platforms, document management systems, and loan origination software.
When examiners review a community bank's cloud environment, they are looking for evidence of six specific control categories. Microsoft 365 addresses all six natively, but the controls must be configured, not just licensed.
How Microsoft 365 Addresses OCC Bulletin 2020-46a Cloud Control Expectations
OCC Bulletin 2020-46a defines six cloud control areas. Here is how Microsoft 365 addresses each one, and what must be configured rather than assumed:
- Access management with provisioning and deprovisioning: Entra ID lifecycle workflows, access reviews, and Joiner/Mover/Leaver automation via HR connectors. Controls are configured in the Entra ID admin center, not enabled by default.
- MFA for privileged and remote access: Entra ID Conditional Access with authentication strength requirements. Enforces phishing-resistant MFA for admin roles. Policy must be deployed and set to Grant (not Report-Only) to be enforceable.
- Encryption in transit and at rest: Microsoft 365 encrypts all data at rest and in transit by default. TLS 1.2 minimum for all service connections. Customer-managed key support available via Microsoft Purview.
- Audit log retention (12+ months): Purview Audit Standard provides 90 days by default. Purview Audit Premium extends to 180 days minimum, with policies for 1-year or 10-year retention for specific log types. Retention must be configured; it does not default to 12 months.
- SOC 2 Type II for the vendor: Microsoft publishes annual SOC 2 Type II reports for M365 services, available on the Microsoft Service Trust Portal at servicetrust.microsoft.com. Download the current report and include it in your vendor management file.
- BCP and DR testing documentation: Microsoft provides a 99.9% SLA for M365 infrastructure. Institutional BCP/DR testing should verify recovery procedures for workflows that depend on M365 and document test results and recovery time objectives.
Audit Log Retention: The Gap Most Community Banks Discover at Examination
The OCC expects audit logs retained for at least 12 months, accessible for examination on request, and covering all administrative and privileged access activity. Microsoft 365's default audit log retention for most Business Premium tenants is 90 days. That does not meet the OCC's 12-month expectation.
Purview Audit Premium extends retention to 180 days at minimum, with customizable policies supporting 1-year or 10-year retention for specific log categories. For community banks on Microsoft 365 Business Premium, Purview Audit Premium is available as an add-on. For institutions on E3, Purview Audit Standard is included but retention defaults to 90 days. The premium audit tier is a separate licensing decision for both plans.
This is also one of the URSIT Support and Delivery items examiners test with a specific documentation request. They will ask you to produce audit logs covering privileged access events for the prior 12 months. If you cannot produce 12 months of logs, you have a finding before the examination formally begins. Closing this gap before the examination takes less than a day to configure and a few months to build the log history.
Access Provisioning: The Gap You Cannot See Until Examination
OCC examiners now specifically review whether access provisioning and deprovisioning processes are automated or documented. The question is not just whether terminated employees lose access. It is whether your institution can demonstrate, with records, that access was revoked on a specific date for every departure. Manual processes that work reliably 95% of the time create a stale access exposure in the remaining 5%, and that 5% is exactly what examiners find in log reviews.
Entra ID lifecycle management, combined with access reviews configured in Entra ID Governance, provides the automated provisioning and deprovisioning trail OCC examiners expect. The AI and compliance tooling ABT deploys through Guardian manages these configurations as part of the standard M365 tenant setup for regulated financial institutions. For institutions evaluating where to start on cloud governance, the AI and Copilot Readiness Assessment includes an evaluation of the cloud control configuration that aligns directly with OCC examination expectations.
How Microsoft 365 Addresses OCC IT Examination Requirements
Community banks running Microsoft 365 have an examination readiness advantage that most institutions underuse. The platform addresses a substantial portion of the OCC's cloud control, access management, and audit log requirements natively. The issue is not the platform. It is the configuration.
Guardian, ABT's operating model for Microsoft 365 in regulated financial institutions, deploys 80 policy templates across 11 configuration categories mapped to regulatory requirements including OCC Bulletin 2020-46a and the GLBA Safeguards Rule. Those policies cover the exact control areas OCC examiners review: Conditional Access policy deployment, Defender for Office 365 configuration, Exchange settings, data loss prevention, retention policies, and device management through Intune.
The institutions that receive strong URSIT Support and Delivery ratings typically share one characteristic: their Microsoft 365 tenant configurations are documented, verified, and consistent with their risk decisions. Examiners can pull an admin portal screenshot, verify a Conditional Access policy is in enforcement mode, and trace it to a documented control decision in about 10 minutes. That is what "documentable and defensible" looks like in practice.
For institutions building or updating their IT examination readiness program, the five steps in the next section cover the Microsoft 365 configuration areas that OCC examiners review most frequently for community banks.
Building Your IT Examination Readiness Program
OCC IT examination readiness is not a project you complete before each examination. It is a configuration management discipline you maintain between examinations. The institutions that consistently receive strong URSIT ratings are not the ones that scramble to prepare. They are the ones that keep their configurations aligned with OCC expectations year-round.
The following five steps are structured around the Microsoft 365 control areas OCC examiners review most frequently for community banks. Each step is testable before the examination, so you know where you stand before examiners do.
5-Step Microsoft 365 OCC IT Examination Readiness Review
1. Audit Log Configuration and Retention Verification
Confirm that Microsoft Purview Audit is enabled for your tenant and that your retention policies cover at least 12 months for administrator activity, privileged role access events, and mailbox access logs. Run a test query pulling privileged role activity for the prior 12 months. If you cannot produce results covering the full 12-month window, you have a gap to close before the examination. This is the single most common audit log finding in community bank IT examinations.
2. MFA Enforcement Policy Review
Review your Entra ID Conditional Access policies and confirm that MFA is enforced (Grant mode), not just enabled (Report-Only mode), for all Global Administrator, Privileged Role Administrator, and Security Administrator roles. Confirm that all remote access pathways require MFA. Document each policy by name, creation date, and the role or user group it covers. OCC examiners will ask for this documentation by name, not just ask whether MFA is deployed.
3. Device Inventory and Management Policy Confirmation
Pull your Microsoft Intune device inventory and document enrollment coverage, compliance policy assignment, and managed device status for all bank-issued devices. OCC examiners now ask specifically about BYOD controls and whether personal devices accessing bank systems are enrolled in mobile device management or subject to mobile application management policies. A device inventory that shows unmanaged personal devices accessing M365 without policy enforcement is a finding in the access control category.
4. Email Authentication Configuration Check
Verify that your domain has SPF, DKIM, and DMARC records configured and that your DMARC policy is at minimum p=quarantine, ideally p=reject. OCC examiners increasingly cite email authentication gaps as a phishing control deficiency. DMARC at p=none is a monitoring mode setting, not an enforcement setting, and examiners treat p=none as an open finding for institutions that have had it in place for more than six months without progressing to enforcement.
5. Third-Party Vendor Cloud Assessment Documentation
Build or update your vendor inventory to include the SOC 2 Type II report status for each material cloud vendor, with the report date and the report period it covers. For Microsoft 365 specifically, the current SOC 2 Type II report is available on the Microsoft Service Trust Portal at servicetrust.microsoft.com. Download the current report and file it in your vendor management records. OCC examiners will ask for this document. If you cannot produce a current (within 12 months) SOC 2 Type II for your material cloud vendors, that is a vendor management finding.
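As an added example (not ABT's Guardian tooling or Microsoft sample code), the read-only PowerShell check below runs steps 1 through 4 in one pass and reports each gap in the terms examiners use; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the signed-in administrator holds the read-only scopes requested, and `bank.example` is a placeholder for your sending domain. Step 5 is a document-filing task with nothing to query, so it is not included.

```powershell
# Added readiness check for steps 1 to 4 (example code, not ABT's or Microsoft's).
# Read-only: every call below queries the tenant; none changes a setting.
param(
    [string]$Domain = 'bank.example',   # placeholder; replace with your sending domain
    [int]$RetentionMonths = 12          # the OCC's minimum audit log window
)

$scopes = @('Policy.Read.All', 'RoleManagement.Read.Directory',
            'DeviceManagementManagedDevices.Read.All')
Connect-MgGraph -Scopes $scopes | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# Step 1: audit log retention. Ask for directory (admin) events from the first
# week of the 12-month window; an empty result means retention is shorter than that.
$start  = (Get-Date).AddMonths(-$RetentionMonths)
$oldest = Search-UnifiedAuditLog -StartDate $start -EndDate $start.AddDays(7) `
    -RecordType AzureActiveDirectory -ResultSize 1
if (-not $oldest) {
    $findings.Add("Audit: no admin events returned for $($start.ToShortDateString()); retention is below $RetentionMonths months")
}

# Step 2: MFA must be enforced by a policy whose State is 'enabled' (Report-Only shows
# as 'enabledForReportingButNotEnforced'), that requires MFA or an authentication
# strength, and that covers each of the three privileged roles named in the step.
$roleNames = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator'
$roles = Get-MgDirectoryRoleTemplate | Where-Object { $roleNames -contains $_.DisplayName }
$enforcing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id)
}
foreach ($role in $roles) {
    $covered = $enforcing | Where-Object {
        $_.Conditions.Users.IncludeRoles -contains $role.Id -or
        $_.Conditions.Users.IncludeUsers -contains 'All'
    }
    if (-not $covered) { $findings.Add("MFA: no enforced MFA policy covers $($role.DisplayName)") }
}
# Examiners ask for each policy by name and creation date; keep this output with your control file.
$enforcing | Select-Object DisplayName, State, CreatedDateTime | Format-Table -AutoSize

# Step 3: device inventory. Intune lists only enrolled devices, so this flags personal
# devices that are enrolled but out of compliance. Unenrolled personal devices reaching
# M365 appear in sign-in logs instead and are blocked with Conditional Access.
$personalNonCompliant = Get-MgDeviceManagementManagedDevice -All | Where-Object {
    $_.ManagedDeviceOwnerType -eq 'personal' -and $_.ComplianceState -ne 'compliant'
}
if ($personalNonCompliant) {
    $findings.Add("Devices: $(@($personalNonCompliant).Count) personal device(s) enrolled but not compliant")
}

# Step 4: DMARC. The policy tag is matched at record start or after ';' so the
# subdomain tag 'sp=' is never mistaken for 'p='.
$txt = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
if ($txt -notmatch 'v=DMARC1') {
    $findings.Add("DMARC: no DMARC record published at _dmarc.$Domain")
} else {
    $policy = if ($txt -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    if ($policy -ne 'quarantine' -and $policy -ne 'reject') {
        $findings.Add("DMARC: policy is p=$policy; examiners expect p=quarantine or p=reject")
    }
}

if ($findings.Count -eq 0) { 'No readiness gaps found in steps 1 to 4.' } else { $findings }
```

Run it from the same workstation you use for tenant administration and file the output with the date; a clean run is the evidence that "documentable and defensible" asks for, and a listed finding is the remediation backlog.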
Frequently Asked Questions
URSIT stands for Uniform Rating System for Information Technology. The OCC uses it to rate a bank's IT environment on a 1-to-5 scale (1 is best) across four components: Audit, Management, Development and Acquisition, and Support and Delivery. The URSIT composite rating feeds into the CAMELS composite, specifically influencing the Management (M) and Sensitivity to Market Risk (S) components. A weak URSIT rating can degrade a bank's CAMELS composite even when operational and financial metrics are strong. A URSIT composite of 3 or higher can also move a bank from an 18-month examination cycle to a 12-month cycle.
The FFIEC retired the Cybersecurity Assessment Tool (CAT) on August 31, 2025. The FFIEC's recommended replacement is NIST Cybersecurity Framework 2.0, released by NIST in February 2024. NIST CSF 2.0 added a Govern function that the original 2014 framework did not include. The Govern function covers cybersecurity governance structure, organizational context, and risk strategy, all of which map to the URSIT Management component. Institutions that built their cybersecurity program around CAT maturity levels should map existing controls to NIST CSF 2.0 categories, with particular attention to the new Govern function.
The standard OCC examination cycle for community banks is 12 months. Banks with assets under $3 billion, a CAMELS composite rating of 1 or 2, and well-capitalized status qualify for an 18-month cycle. A weak URSIT rating, specifically any individual component rated 3 or higher, can move a bank back to a 12-month cycle regardless of asset size or CAMELS composite. OCC Bulletin 2025-24, effective January 1, 2026, adjusted the supervisory approach from mandatory policy-based requirements to risk-proportionate supervision but did not change the examination cycle eligibility criteria.
According to the OCC's 2025 Cybersecurity Report, the most common findings in community bank IT examinations involve access control deficiencies, specifically MFA gaps for privileged access accounts and remote access sessions. Legacy system risk management failures, where end-of-life systems lack documented compensating controls or a remediation timeline, are the second most common category. Cloud control deficiencies, particularly audit log retention below 12 months and access provisioning gaps in cloud-hosted systems, have become the fastest-growing finding category as more community banks move core operations to cloud platforms.
Microsoft 365 addresses a substantial portion of the OCC's cloud control, access management, and audit log requirements natively, but the controls must be configured to be effective. Entra ID provides MFA enforcement and access management controls. Purview Audit provides log retention capability. Intune provides device management inventory and compliance documentation. Defender for Office 365 covers email authentication and anti-phishing controls. The platform has the capability to meet OCC expectations across all six cloud control areas defined in OCC Bulletin 2020-46a. Most community banks have a configuration gap, not a platform gap. The controls exist in the subscription; they need to be deployed and verified before the examination.
The OCC expects audit logs retained for at least 12 months, accessible for examination on request, and covering all administrative and privileged access activity. Microsoft 365 Business Premium includes Purview Audit Standard, which retains logs for 90 days by default. That does not meet the 12-month OCC expectation. Purview Audit Premium, available as an add-on for Business Premium tenants or included in higher-tier plans, extends retention to 180 days at minimum and supports custom retention policies up to 10 years for specific log types. For most community banks on Business Premium, adding Purview Audit Premium is the direct solution to this examination requirement. The configuration change takes less than a day; building a 12-month log history requires waiting 12 months, which is why closing this gap before your current examination cycle is more valuable than closing it after.
Get a Pre-Examination IT Review Before Your Next OCC Exam
ABT serves 750+ financial institutions and has helped community banks prepare for OCC IT examinations for over 25 years. We review your Microsoft 365 configuration across the six control areas OCC examiners check, identify gaps, and help you close them before your examination cycle. Schedule a no-cost pre-examination review with our team.